I. Background

The networking of large ADP systems with all its attendant benefits is becoming commonplace today. However, the careless networking of ADP systems can greatly increase security risks, often in subtle and non-obvious ways. Security must be considered on a total system basis including both the ADP hosts and the communications network. This paper addresses the ADP security issues as they affect processing in both the host general purpose computers and the network interface communications processors. Recently developed "security kernel" technology for ADP systems permits construction of various alternative secure networks. The paper also addresses communications security using encryption devices in the network.


1.1 Need for Multi-Level Security

A major problem with computing systems in the military today is the lack of effective multi-level security controls. The term "multi-level security controls" means those controls needed to process several levels of classified material from unclassified through compartmented top secret with simultaneous access to the system (or network) by users with differing levels of clearance. The lack of such effective controls in all of today's computer operating systems has led the military to operate computers in a closed environment in which systems are dedicated to the highest level of classified material and all users are required to be cleared to that level. Such dedicated systems result in extremely inefficient equipment and manpower utilization and have often resulted in the acquisition of much more hardware than would otherwise be necessary. In addition, many operational requirements cannot be met by dedicated systems because of the lack of direct, rapid multi-level information sharing. One group of experts <ANC72> has estimated that these additional costs may amount to $100,000,000 per year for the Air Force alone.


1.2 Vulnerability of Current Systems

The internal controls of current computers have repeatedly been shown insecure through penetration exercises on such systems as GCOS, WWMCCS, IBM 360/370, UNIVAC 1100, PDP-10 TENEX, and others <AND71, KAR74, ALF74, ARB76>. This inability to provide effective security is a fundamental weakness of contemporary systems and cannot be corrected by merely modifying or patching conventional operating systems. Even if every known security weakness in a particular system were repaired, there would be no basis to believe that every existing weakness had been found. Further, the modifications required to repair the weaknesses are typically so complex as to have a high likelihood of introducing new vulnerabilities. Thus, the approach of penetrating the system and fixing the holes never reaches completeness and cannot achieve computer security (although it can provide job security for system penetrators).


1.3 Impact of Networks on Security

The computer networks that are being constructed today (ARPANET, PWIN, etc.) do not have adequate security for the military. As a result, these networks can have a major adverse security impact by:

1. Dramatically increasing the number of users with potential unauthorized access.

2. Potentially making the security controls on a specific host irrelevant by making information accessible to other hosts that do not have effective security controls.

3. Introducing additional vulnerabilities through the lack of effective security controls in network elements, e.g., insecure network communications processors.


II. Fundamental Basis for Effective ADP Security Controls

To develop a demonstrably secure system, one must start with a fundamental understanding of what it means for a computer system to be "secure." To do this, one can model security processing using the concept of a reference monitor which mediates all accesses to information. This reference monitor concept must be applied to all parts of a network: the ADP host systems and the network interface processors.


The reference monitor (see Figure 1) must implement two basic functions: REFERENCE and AUTHORIZE. The REFERENCE function mediates users' accesses to information and decides whether to allow an access based on an authorization matrix. The AUTHORIZE function updates the authorization matrix based on already existing authorizations. The authorization matrix is like that of Lampson <LAM71>.

An example of an authorization matrix is shown in Figure 2. In this example, USER1 has READ access to FILE A, while USER2 has READ, WRITE, and CONTROL access. Therefore, the reference monitor will only allow USER1 to read FILE A, but will allow USER2 to read, write, or change the access to FILE A. Note that all information-carrying objects such as terminals and network sockets must be included in the authorization matrix. (1)
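The reference monitor just described, written out as an added worked example (this is not code from the paper): a Python access matrix with the two functions REFERENCE and AUTHORIZE, loaded with the Figure 2 rights. The class and function names, the audit trail, the extra TERMINAL 1 entry, and the rule that AUTHORIZE requires CONTROL over the object are assumptions of the example; the paper says only that CONTROL lets USER2 "change the access" to FILE A.

```python
from enum import Flag, auto


class Right(Flag):
    """Access rights recorded in the authorization matrix (Figure 2 uses READ, WRITE, CONTROL)."""
    READ = auto()
    WRITE = auto()
    CONTROL = auto()


class ReferenceMonitor:
    """Access-matrix reference monitor with the two functions named in the text.

    REFERENCE mediates every access and AUTHORIZE changes the matrix. AUTHORIZE is
    itself routed through REFERENCE (CONTROL over the object is required), so the
    state of the matrix is protected like any other information (footnote 1).
    """

    def __init__(self) -> None:
        # (subject, object) -> Right; a missing entry means no access at all
        self._matrix: dict[tuple[str, str], Right] = {}
        self.audit: list[str] = []  # constructed audit trail of every decision

    def install(self, subject: str, obj: str, rights: Right) -> None:
        """Security officer bootstrap of the initial matrix (assumed, not mediated)."""
        self._matrix[(subject, obj)] = rights

    def rights_of(self, subject: str, obj: str) -> Right:
        return self._matrix.get((subject, obj), Right(0))

    def reference(self, subject: str, obj: str, right: Right) -> bool:
        """REFERENCE: allow the access only if the matrix grants the right; fail closed."""
        allowed = right in self.rights_of(subject, obj)
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {subject} {right.name} {obj}")
        return allowed

    def authorize(self, grantor: str, subject: str, obj: str, rights: Right) -> bool:
        """AUTHORIZE: extend the matrix based on an existing authorization.

        Assumption of this example: the grantor must hold CONTROL over the object,
        which matches USER2 being able to change the access to FILE A.
        """
        if not self.reference(grantor, obj, Right.CONTROL):
            return False
        self._matrix[(subject, obj)] = self.rights_of(subject, obj) | rights
        self.audit.append(f"GRANT {grantor} gives {subject} {rights} on {obj}")
        return True


def figure2_monitor() -> ReferenceMonitor:
    """The Figure 2 matrix plus a terminal object, since every
    information-carrying object must appear in the matrix."""
    rm = ReferenceMonitor()
    rm.install("USER1", "FILE A", Right.READ)
    rm.install("USER2", "FILE A", Right.READ | Right.WRITE | Right.CONTROL)
    rm.install("USER1", "TERMINAL 1", Right.READ | Right.WRITE)  # constructed entry
    return rm


def demo() -> dict:
    """Run the Figure 2 scenario and return each decision by name."""
    rm = figure2_monitor()
    results = {
        "user1_read": rm.reference("USER1", "FILE A", Right.READ),
        "user1_write": rm.reference("USER1", "FILE A", Right.WRITE),
        "user2_write": rm.reference("USER2", "FILE A", Right.WRITE),
        # USER1 holds no CONTROL, so it cannot grant itself WRITE
        "user1_self_grant": rm.authorize("USER1", "USER1", "FILE A", Right.WRITE),
        # USER2 holds CONTROL and may extend USER1's access
        "user2_grant": rm.authorize("USER2", "USER1", "FILE A", Right.WRITE),
    }
    results["user1_write_after"] = rm.reference("USER1", "FILE A", Right.WRITE)
    # a subject with no matrix row gets nothing: the monitor fails closed
    results["stranger"] = rm.reference("USER3", "FILE A", Right.READ)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point to notice is that there is no path to the matrix that bypasses REFERENCE: even a change of rights is first checked as an access (to CONTROL), which is exactly the completeness property the next paragraph asks for.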


It has been pointed out <ESD75> that the reference monitor must meet the following engineering requirements to provide a practical basis for multi-level security:

a. Completeness: The reference monitor must be invoked on every access to information.

b. Isolation: The reference monitor must be protected from unauthorized tampering.

c. Certifiability: The reference monitor must be small enough and simple enough that its correctness can be verified.


The requirement of certifiability leads one to conclude that conventional operating systems, communications processors, and network processors cannot achieve multi-level security. Not only is the software in such systems so complex and so monolithic that it is impossible to certify correct, but also there is no precise, sufficient security criterion upon which to base the verification.


The engineering requirements of the reference monitor lead to the conclusion that an actual implementation requires a mixture of hardware and software support. The most promising approach for implementing the reference monitor has been called the "security kernel" <LIP74-2>. To meet the completeness requirement efficiently, descriptor driven hardware (2) is used to mediate all references by the CPU to memory. (3) To meet the isolation requirement, the security kernel software runs in the most privileged state of a multiple state machine. The other states are used for the operating system and the user code. Finally, to meet the certifiability requirement, the security kernel software must be separated from the bulk of the operating system and subjected to a proof of correctness <MIL76>.

(1) In fact, the state of the matrix itself is also information and must be controlled by the monitor. For a full discussion of this issue, see Bell <FEL7B>.

(2) Descriptor driven processors include the Honeywell Level 68, the DEC PDP-11/45, and the Burroughs 6700.

(3) Machines such as the PDP-11/45 and Honeywell Level 68 provide descriptor based addressing from the CPU to memory, but not from I/O devices to memory. To maintain security in these machines, I/O must be performed by the security kernel rather than by user programs, resulting in an increase in kernel complexity and an adverse performance impact. The Electronic Systems Division has sponsored development of a Security Protection Module (SPM) which can provide upwards compatible descriptor based addressing for a minicomputer and its I/O devices, thus solving the complexity and performance problems. The SPM is being first tested with a ruggedized version of the Honeywell Level 6 minicomputer to perform as a secure ruggedized network front-end processor <GIL76>.


III. Goals of ADP Networks

The primary purpose of a network of ADP host systems is to provide convenient, responsive data communication between systems. The host computers are general purpose ADP systems that directly interface with local users. The network interfaces are communications processors that in some fashion interface between the host computers and the rest of the network. Such a network must be designed to:

1. Provide information sharing by distributing data bases among many host computers.

2. Provide resource sharing by making unique hosts available on the network and by load sharing among host computers.

3. Provide information security by ensuring that no user obtains unauthorized access to information.


This paper primarily addresses the requirements to meet the goal of information security; however, security should not degrade other functional requirements. These include lucid user interfaces for terminal protocols, file transfer protocols, and remote job entry protocols. Reasonable performance requirements include both the ability to echo input characters to remote full duplex terminals over thousands of miles in under half a second and also the ability to transfer large (> 100,000,000 bits) files at effective transfer rates of better than 10,000 bits per second, with error rates less than 1 bit in 100,000,000 messages.


IV. Issues in Network Security

The basic requirement of a secure network is to provide a protected path between known subjects and information <LIP74-1>. Meeting this requirement decomposes into two logical tasks:

1. Establishing the protected path; and

2. Protecting the protected path.


These tasks may be accomplished automatically by the network or manually by procedures.


Establishing the protected path is the issue of identification and authentication. An external convention must be agreed upon to identify users and some type of authentication to validate the claimed identity. The login name-password combination of the traditional time sharing system may be used. Alternatively, the possession of a cryptographic key may provide evidence of a valid identity.


Protecting the protected path breaks down into two issues: protected communications and access control. Communications links, of course, must always be protected. Any traffic that passes over physically insecure communications paths must be enciphered. Encipherment normally occurs today on communication links between interface processors using outboard cryptographic devices (see Figure 3). Research is on-going in end-to-end encryption <KEN76> in which encipherment occurs at the originating processor and decipherment occurs at the destination processor. Intermediate processors would see only enciphered text. The feasibility of secure end-to-end encryption has yet to be demonstrated in a packet switched computer network.


However, encryption solves no problem except transmission security. If any host or interface computer handles unenciphered data of any form at multiple security levels, then that computer must provide certified secure access control to ensure that data is not released to unauthorized users. In the one-level network of Section 5.1 below, no internal access controls are required. In the one-level host network of Section 5.2, access controls are required in the interface processors. In the multi-level host network of Section 5.3, access controls are required in the host and the interface processors.


V. Network Structures

This section will briefly describe several alternative network structures, all of which effectively protect classified information.


5.1 One-Level Network

The single-level network structure (see Figure 4) provides security without dependence on effective hardware/software controls in either the host or the interface. There is no need or purpose for security labels, although both the host and interface may contain nominal controls and "security features" for administrative convenience. Procedural controls must insure that only authorized users can access any component of the network; these external controls constitute the reference monitor. Protected communications are required to counter the threat of phone taps. It must be recognized that all the users can potentially access all the information contained in all the hosts of the network. The one-level network is the only network structure that can be readily realized without the application of advanced ADP security technology.


5.2 One-Level Hosts

This structure with one-level hosts and secure interfaces (see Figure 5) can provide effective (although limited) security controls in spite of the inherent weaknesses of the host computers. The network interfaces must enforce the security rules to prevent data from flowing to the wrong hosts. A given host can receive from "lower level" hosts and send to "higher level" hosts. This control can be achieved by treating each host as a single user with only well-defined privileges. The network cannot believe the security labels assigned by the host, but must assign labels based on the level of the host. Communication paths, of course, must be protected. As a practical matter, to be effective (for security) the interface must be implemented as an independent network processor; this processor must provide a certified reference monitor (viz., a "security kernel"). The technology for achieving this form of network is available (4) and is a reasonable objective for a general purpose communications network. The SATIN IV network <PAS74-2> for the USAF Strategic Air Command (SAC) is a good example.

(4) A prototype security kernel that can be adapted for communications has been developed for the PDP-11/45 <SCH75>.


5.3 Multi-Level Hosts

This completely multi-level structure (see Figure 6) is "stable" for access control. The hosts must reliably identify the security attributes of the information provided to the network interface. The network protects the information sent to the receiver, and the receiving host believes the security attributes (e.g., labels on messages). The individual hosts must identify and authenticate their own users. As in other systems, communication paths must be protected. This configuration requires certified reference monitor components in both the hosts and the network interfaces; this capability is simply not available nor feasible with contemporary computer systems, although ongoing development efforts <SCHR75, ADL75> are proceeding toward this end. The multi-level host structure is what is most often meant by a "secure data internetting system" and has been the elusive goal of highly integrated designs such as the World Wide Military Command and Control System (WWMCCS) <PAS74-1>.


5.4 Combinations

Pure forms of the systems above are not necessary, but combinations must be based on fundamental security principles. In particular, the reference monitor concept gives the criteria on what is a secure structure.


As an example of a potential security error, if a single-level host, such as WWMCCS, were attached to a secure multi-level network, such as SATIN IV, a security compromise could occur if the untrustworthy security labels from WWMCCS were passed on by SATIN IV to some other system, such as AUTODIN. In this case, the WWMCCS machine could include classified material in an allegedly unclassified AUTODIN message destined for an insecure terminal.
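The label rule of Section 5.2 and the labelling error of Section 5.4, as one added example in Python (not code from the paper or from any of the networks it names): the interface processor derives a message's label from the accredited level of the sending one-level host and forwards only to hosts accredited at or above that label. The host names, their levels, the message contents and the function names are constructed for the example; `naive_forward` believes the sending host's own label, which is the WWMCCS/AUTODIN mistake the text describes, and is included only so the two policies can be compared on the same traffic.

```python
from dataclasses import dataclass

# Linear ordering of classification levels used by the interface (constructed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed accreditation table: the level of each one-level host. The
# interface processor is configured with this table by the security officer;
# it never learns a host's level from the host itself.
HOST_LEVEL = {
    "HOST-U": "UNCLASSIFIED",
    "HOST-S": "SECRET",
    "HOST-TS": "TOP SECRET",
}


@dataclass(frozen=True)
class Message:
    src: str             # sending host
    dst: str             # destination host
    asserted_label: str  # label claimed by the sending host (untrusted)
    payload: bytes


def network_label(msg: Message) -> str:
    """Section 5.2 rule: the interface assigns the label from the level of the
    sending host and ignores whatever label the host asserted."""
    return HOST_LEVEL[msg.src]


def secure_forward(msg: Message) -> tuple[bool, str]:
    """Return (allowed, reason). Data may flow to a host only if that host is
    accredited at or above the label the interface assigned to the message."""
    if msg.src not in HOST_LEVEL or msg.dst not in HOST_LEVEL:
        return False, "unknown host"  # fail closed on unconfigured hosts
    label = network_label(msg)
    dst_level = HOST_LEVEL[msg.dst]
    if LEVELS[dst_level] >= LEVELS[label]:
        return True, f"{label} data to {dst_level} host"
    return False, f"{label} data may not flow to {dst_level} host"


def naive_forward(msg: Message) -> tuple[bool, str]:
    """The Section 5.4 error: believing the label supplied by a single-level
    host. Shown only for comparison; a secure interface must not do this."""
    if msg.src not in HOST_LEVEL or msg.dst not in HOST_LEVEL:
        return False, "unknown host"
    if LEVELS[HOST_LEVEL[msg.dst]] >= LEVELS[msg.asserted_label]:
        return True, f"host-asserted label {msg.asserted_label} accepted"
    return False, "host-asserted label too high for destination"


def scenario() -> dict:
    """Constructed traffic, including the TOP SECRET host marking a message
    UNCLASSIFIED and addressing it to the UNCLASSIFIED host."""
    mislabelled = Message("HOST-TS", "HOST-U", "UNCLASSIFIED", b"constructed TS content")
    upward = Message("HOST-U", "HOST-TS", "UNCLASSIFIED", b"constructed U content")
    downward = Message("HOST-S", "HOST-U", "SECRET", b"constructed S content")
    unknown = Message("HOST-X", "HOST-U", "UNCLASSIFIED", b"constructed content")
    return {
        "mislabelled_naive": naive_forward(mislabelled)[0],   # compromise
        "mislabelled_secure": secure_forward(mislabelled)[0],  # blocked
        "upward_secure": secure_forward(upward)[0],            # low to high is fine
        "downward_secure": secure_forward(downward)[0],        # high to low blocked
        "unknown_secure": secure_forward(unknown)[0],          # fail closed
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'forward' if allowed else 'drop'}")
```

The secure interface treats each host as a single user with fixed privileges, exactly as the text puts it: the host's level is the only input to the label, so a host that mislabels its output (by error or by penetration) cannot move data below its own level. In the multi-level host structure of Section 5.3 the host's label would instead be believed, which is why that structure needs a certified reference monitor in the host as well.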


VI. Conclusions

Computer networks may either intensify security problems or may provide meaningful solutions to security problems, depending on the particular network design. In this paper, we have seen that it is essential to apply fundamental security principles to achieve security in computer network systems. Underlying these principles is the formally defined security reference monitor which mediates all references to information. Without some form of reference monitor (even if implemented as manual procedures), no security is possible.